Analysis: Professor exposes more voting system flaws

Professor, students expose vulnerabilities in internet-based voting system

Halderman's team modified online ballots; had page play University of Michigan fight song

Halderman says other hackers were guessing at password, and likely would have succeeded

As the 2010 midterm elections approach, Dave Schechter has been following voting systems and voter irregularity issues for CNN.

(CNN) -- In a previous posting about voting issues, I mentioned J. Alex Halderman, an assistant professor of engineering and computer science at the University of Michigan, whose "resume" includes hacking into voting machines in the name of exposing security flaws.

It turns out that as I was writing that, Halderman and his students pulled off another coup, exposing vulnerabilities in an internet-based system for overseas and military voters that the District of Columbia planned to test in the November election.

"Within 36 hours of the system going live, our team had found and exploited a vulnerability that gave us almost total control of the server software, including the ability to change votes and reveal voters' secret ballots," Halderman wrote on his blog.

Along the way, Halderman's team "collected crucial secret data stored on the server," "modified all the ballots that had already been cast to contain write-in votes for candidates we selected," "installed a back door that let us view any ballots that voters cast after our attack," and -- best of all -- "left a 'calling card' on the system's confirmation screen, which voters see after voting."

After 15 seconds, the page plays the University of Michigan fight song. Here's a demonstration.

The "Wolverines" attack on D.C.'s experiment went undetected, Halderman said, until the fight song ("Hail to the Victors") was discovered.

To be fair, the people running the D.C. pilot program made a couple of weeks available for outsiders to have a crack at their system. While Halderman and his students did their best in the name of protecting the sanctity of the voting process, it appears that there were others with potentially less-friendly motives also taking advantage of the test period.

Testifying before the D.C. Board of Ethics and Elections -- in a virtually empty room, according to news reports -- Halderman dropped this bomb: "While we were in control of these systems we observed other attack attempts originating from computers in Iran and China. These attackers were attempting to guess the same master password that we did. And since it was only four letters long, they would likely have soon succeeded."

Halderman's team even changed the D.C. system's password (who uses a four-letter password?) to thwart the foreign intrusions.

Granted, this was a test and only a test of a small pilot program. But the idea of attempts from outside of the United States to compromise the security of the most basic of American rights should worry anyone who cares about the political process.

Flaws in the D.C. system weren't the only issue making news:

• The Brennan Center for Justice at New York University's School of Law spotlights three potential threats: voter registration problems (3 million people were unable to vote in 2008 because of such issues, and registration efforts are notably fewer than in the last election), ballot "security" operations (often allegations of voter suppression or intimidation) and voting machines.

• The Sentencing Project reports that between 1997 and 2010 an estimated 800,000 people convicted of felonies regained their right to vote, as 23 states have, in varying fashions, changed their laws on the subject.

• Concerns remain about U.S. military personnel stationed overseas getting ballots from their home states in time to vote and mail back before Election Day. Several states received waivers from a new requirement that ballots be mailed out by 45 days before the election, to ensure their return on time.

• If you're interested in following current court cases involving voting issues, check out this website from the Moritz College of Law at The Ohio State University.